Re: Kerberos Error Message

From: PC (paulm)
Date: 09/13/04 

Date: Mon, 13 Sep 2004 12:09:16 +0100

Thanks for the replies.

I think you are correct with regards to the time issue but I'm not sure how
to resolve this. Opti_Mystic_69 mention about what appears to be a
discrepency between the clinet and server times in my original post. It
would appear from my post that there is a discrepency but when I check the
servers there is no apparent discrepancies. All servers report the correct
time and date.

To back track, I have an on going problem where some clients receive an
error when logging on that there is a time discrepancy. This occurs although
I know for certain there is no time difference between client and server. I
order to enable authentication I have to restart the KDC on one of my DC
(This is one of 2 DC's but it doesn't host any fsmo roles.) Immediatly I
restart the KDC on this DC the user can logon.

This happens on only a few machines but nothing seems to work to fix it. I
have tried removing and rejoining the clients. Net diag tests on kerberos
and DNS seem fine.

Is there someway I could find out why I'm getting time discrepancy errors
and Time related Kerberos errors when there doesn't seem to be any
difference in time on the network?

Again thanks for your help

Paul

"Tim Springston [MS]" <tspring@online.microsoft.com> wrote in message
news:OaCvPMTmEHA.416@TK2MSFTNGP10.phx.gbl...
> Opti_Mystic_69 is correct, sounds like a time difference.
>
> A good resource for troubleshooting Kerberos errors is the relatively new
> whitepaper below:
>
> Troubleshooting Kerberos Errors
>
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx
>
> --
> Tim Springston
> Microsoft Corporation
> This posting is provided "AS IS" with no warranties, and confers no
rights.
>
>
> "opti_mystic_69" <anonymous@discussions.microsoft.com> wrote in message
> news:030901c4979c$a808d520$a501280a@phx.gbl...
> > Paulm,
> >
> > The error you are receiving (0x20) indicated that the
> > Ticket Granting Ticket has been revoked. This is usually
> > related to a date / time problem, as TGT's are time
> > sensitive. I noticed that in the text of the error you
> > posted that your server date indicates as 10/9/2004 and
> > your client date indicates as 9/9/2004. Also, there
> > appears to be a difference of an hour between the two
> > clocks. Perhaps you should verify that the date and time
> > on both server and clients are synchronized...? I believe
> > that this is the root of the issue.
> >
> > Hope this helps. Please post back with any more questions.
> >
> > Opti_mystic_69
> >
> >
> >>-----Original Message-----
> >>Hi,
> >>
> >>Hi Have a windows 2000 domain controllor. This server
> > doesn't perform and
> >>Operations master roles. I have turned on Kerberos
> > logging as I have been
> >>having some time sycronisation problem with some clients
> > on the network.
> >>
> >>I'm receiveing a kerberos error every few hours (The
> > doesn't seem to be any
> >>pattern as to when these errors occur). I have looked at
> > eventID (EventID
> >>talks about domain trusts but this is a single domain
> > with no trusts) and
> >>searched on google but I can't find anything about this
> > specific error (Note
> >>in the error code: 0x20). The error is as follows:
> >>
> >>Event Type: Error
> >>Event Source: Kerberos
> >>Event Category: None
> >>Event ID: 594
> >>Date: 10/09/2004
> >>Time: 02:26:05
> >>User: N/A
> >>Computer: DCServer1
> >>Description:
> >>A Kerberos Error Message was received:
> >> on logon session InitializeSecurityContext
> >> Client Time:
> >> Server Time:
> >> Error Code: 1:26:5.0000 9/10/2004 (null) 0x20
> >> Extended Error: KRB_AP_ERR_TKT_EXPIRED
> >> Client Realm:
> >> Client Name:
> >> Server Realm: MyDomainName
> >> Server Name: krbtgt/MyDomainName
> >> Target Name: krbtgt/MyDomainName@MyDomainName
> >> Error Text:
> >> File:
> >> Line:
> >> Error Data is in record data.
> >>
> >>For more information, see Help and Support Center at
> >>http://go.microsoft.com/fwlink/events.asp.
> >>
> >>
> >>Does anybody know why I'm receiving this error or where I
> > can find more
> >>information about it.
> >>
> >>Thanks
> >>
> >>
> >>Paul
> >>
> >>
> >>.
> >>
>
>

Relevant Pages

  • Re: Kerberos Error Message
    ... the domain controller which you reboot to alleviate the problem? ... > I know for certain there is no time difference between client and server. ... >> A good resource for troubleshooting Kerberos errors is the relatively new ...
    (microsoft.public.win2000.security)
  • Re: Certificate and Kerberos event errors 0xc1001014 & 0xc0000071
    ... Kerberos and Authentication Troubleshooting ... Troubleshooting Kerberos Errors ... Event Source: Live Communications Server ... Unable to use the default outgoing certificate. ...
    (microsoft.public.windows.server.active_directory)
  • Re: NetBIOS Share Device and Kerberos authentication errors?
    ... it slipped out of synchronisation with the time on the main server, ... will cause Kerberos errors if the time difference is more than 5 minutes (by ... We use these 'non-domain' accounts to attach to the shared drives- ... Maybe specify that this NetBIOS Device share/account is ...
    (microsoft.public.windows.server.sbs)
  • Kerberos Errors on server
    ... We have a server that is on an intranet. ... We have been noticing a large number of Kerberos errors in our system log. ... Client Realm: ... Their access is completely via our IIS application; ...
    (microsoft.public.win2000.active_directory)
  • Kerberos Errors on server
    ... We have a server that is on an intranet. ... We have been noticing a large number of Kerberos errors in our system log. ... Client Realm: ... Their access is completely via our IIS application; ...
    (microsoft.public.win2000.general)